{
	"id": "2b57f2eb-09a0-4dd4-b427-d4299268c900",
	"created_at": "2026-04-06T00:14:01.973662Z",
	"updated_at": "2026-04-10T13:12:21.206112Z",
	"deleted_at": null,
	"sha1_hash": "22f9271c526748fc61610a6854dd8c662957b4ec",
	"title": "Internet Explorer 0-day exploited by North Korean actor APT37",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48212,
	"plain_text": "Internet Explorer 0-day exploited by North Korean actor APT37\r\nBy Clement Lecigne\r\nPublished: 2022-12-07 · Archived: 2026-04-05 19:10:22 UTC\r\nBenoit Sevens\r\nThreat Analysis Group\r\nTo protect our users, Google’s Threat Analysis Group (TAG) routinely hunts for 0-day vulnerabilities exploited in-the-wild. This blog will describe a 0-day vulnerability, discovered by TAG in late October 2022, embedded in\r\nmalicious documents and used to target users in South Korea. We attribute this activity to a group of North Korean\r\ngovernment-backed actors known as APT37. These malicious documents exploited an Internet Explorer 0-day\r\nvulnerability in the JScript engine, CVE-2022-41128. Our policy is to quickly report vulnerabilities to vendors,\r\nand within a few hours of discovering this 0-day, we reported it to Microsoft and patches were released to protect\r\nusers from these attacks.\r\nThis is not the first time APT37 has used Internet Explorer 0-day exploits to target users. The group has\r\nhistorically focused their targeting on South Korean users, North Korean defectors, policy makers, journalists and\r\nhuman rights activists.\r\nMicrosoft Office document using tragic news as a lure\r\nOn October 31, 2022, multiple submitters from South Korea reported new malware to us by uploading a Microsoft\r\nOffice document to VirusTotal. The document, titled “221031 Seoul Yongsan Itaewon accident response situation\r\n(06:00).docx”, references the tragic incident in the neighborhood of Itaewon, in Seoul, South Korea during\r\nHalloween celebrations on October 29, 2022. 
This incident was widely reported on, and the lure takes advantage\r\nof widespread public interest in the accident.\r\nThe document downloaded a rich text file (RTF) remote template, which in turn fetched remote HTML content.\r\nBecause Office renders this HTML content using Internet Explorer (IE), this technique has been widely used to\r\ndistribute IE exploits via Office files since 2017 (e.g. CVE-2017-0199). Delivering IE exploits via this vector has\r\nthe advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit\r\nwith an EPM sandbox escape.\r\nUpon investigation, TAG observed the attackers abused a 0-day vulnerability in the JScript engine of Internet\r\nExplorer.\r\nTAG identified Internet Explorer 0-day\r\nThe vulnerability resides within “jscript9.dll”, the JavaScript engine of Internet Explorer, and can be exploited to\r\nexecute arbitrary code when rendering an attacker-controlled website. The bug itself is an incorrect JIT\r\noptimization issue leading to a type confusion and is very similar to CVE-2021-34480, which was identified by\r\nProject Zero and patched in 2021. TAG reported the vulnerability to Microsoft on October 31, 2022, and the label\r\nCVE-2022-41128 was assigned on November 3, 2022. The vulnerability was patched on November 8, 2022.\r\nAnalysis of the exploit\r\nIn a typical delivery scenario, the initial document would have the Mark-of-the-Web applied. This means the user\r\nhas to disable protected view before the remote RTF template is fetched.\r\nWhen delivering the remote RTF, the web server sets a unique cookie in the response, which is sent again when\r\nthe remote HTML content is requested. 
This likely detects direct HTML exploit code fetches which are not part of\r\na real infection.\r\nThe exploit JavaScript also verifies that the cookie is set before launching the exploit. Additionally it reports twice\r\nto the C2 server: before launching the exploit and after the exploit succeeds.\r\nTAG also identified other documents likely exploiting the same vulnerability and with similar targeting, which\r\nmay be part of the same campaign. Further details on those documents can be found in the “Indicators” section\r\nbelow.\r\nThe delivered shellcode uses a custom hashing algorithm to resolve Windows APIs. The shellcode erases all traces\r\nof exploitation by clearing the Internet Explorer cache and history before downloading the next stage. The next\r\nstage is downloaded using the same cookie that was set when the server delivered the remote RTF.\r\nAlthough we did not recover a final payload for this campaign, we’ve previously observed the same group deliver\r\na variety of implants like ROKRAT, BLUELIGHT, and DOLPHIN. APT37 implants typically abuse legitimate\r\ncloud services as a C2 channel and offer capabilities typical of most backdoors.\r\nAdditional technical information on the vulnerability, the exploit and the patch, is available in the Root Cause\r\nAnalysis.\r\nConclusions\r\nTAG is committed to sharing research to raise awareness on bad actors like APT37 within the security community,\r\nand for companies and individuals that may be targeted. By improving understanding of the tactics and techniques\r\nof these types of actors, we hope to strengthen protections across the ecosystem. 
We will also continuously apply\r\nthese findings to improve the safety and security of our products and continue to effectively combat threats and\r\nprotect users who rely on our services.\r\nWe’d be remiss if we did not acknowledge the quick response and patching of this vulnerability by the Microsoft\r\nteam.\r\nIndicators of compromise (IOCs)\r\nInitial documents:\r\nRemote RTF template:\r\n08f93351d0d3905bee5b0c2b9215d448abb0d3cf49c0f8b666c46df4fcc007cb\r\nC2:\r\nword-template[.]net\r\nopenxmlformat[.]org\r\nms-office[.]services\r\nms-offices[.]com\r\ntemplate-openxml[.]com\r\nSource: https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/"
	],
	"report_names": [
		"internet-explorer-0-day-exploited-by-north-korean-actor-apt37"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434441,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/22f9271c526748fc61610a6854dd8c662957b4ec.pdf",
		"text": "https://archive.orkl.eu/22f9271c526748fc61610a6854dd8c662957b4ec.txt",
		"img": "https://archive.orkl.eu/22f9271c526748fc61610a6854dd8c662957b4ec.jpg"
	}
}